This page last changed on Feb 21, 2008.
edocs Home > BEA AquaLogic Data Services Platform 3.0/3.2 Documentation > ALDSP 3.2 New Features Documentation Encryption-Based Data Redaction ExamplesThis topic provides several examples showing how encryption-based data redaction works when performing common operations. Example Data Service FunctionsThe examples in this topic make use of the following data services: Entity data service CustomerDS - The data service returns information about a customer conforming to the following schema: CUSTOMER SSN: xs:string FIRST NAME: xs:string LAST NAME: xs:string CUSTOMER_SINCE: xs:date The information is exposed through the public read function getCUSTOMERS(), which returns data similar to the following: <CUSTOMER> <SSN>123-45-6789</SSN> <FIRST_NAME>John</FIRST_NAME> <LAST_NAME>Smith</LAST_NAME> <CUSTOMER_SINCE>2007-10-10</CUSTOMER_SINCE> </CUSTOMER> Entity data service OrderDS - The data service returns information about a customer order conforming to the following schema: ORDER ORDER_ID: xs:integer CUSTOMER_SSN: xs:string DATE: xs:date STATUS: xs:string The information is exposed through the public read function getORDERS(), which returns data similar to the following: <ORDER> <ORDER_ID>1000</ORDER_ID > <CUSTOMER_SSN>123-45-6789</CUSTOMER_SSN> <DATE>2007-10-10</DATE> <STATUS>CLOSED</STATUS> </ORDER> <ORDER> <ORDER_ID>2000</ORDER_ID > <CUSTOMER_SSN>123-45-6789</CUSTOMER_SSN> <DATE>2007-11-11</DATE> <STATUS>OPEN</STATUS> </ORDER> Example ResultsProjection of an Encrypted FieldAssuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS, the direct function call getCUSTOMERS() returns the following: <CUSTOMER> <SSN>sjdlkggdlaklakskjfgk</SSN> <FIRST_NAME>John</FIRST_NAME> <LAST_NAME>Smith</LAST_NAME> <CUSTOMER_SINCE>2007-10-10</CUSTOMER_SINCE> </CUSTOMER> Note that the value of the SSN field is encrypted and unique for each distinct SSN. Predicate Against an Encrypted FieldAssuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS, the following XQuery query returns (): for $x in p:getCUSTOMERS() where $x/SSN eq "123-45-6789" return $x This is because a match is attempted between an unencrypted value and the encrypted SSN value. Outer Join on Encrypted FieldsConsider the following XQuery query that performs an outer join: for $x in p:getCUSTOMERS() return <CUSTOMER> <SSN>{fn:data($x/SSN)}</SSN> { for $y in q:getORDERS() where $x/SSN eq $y/CUSTOMER_SSN return <ORDER_ID>{fn:data($y/ORDER_ID)}</ORDER_ID> } </CUSTOMER> Assuming that encryption-based data redaction has been configured for both the SSN field in CustomerDS and the CUSTOMER_SSN field in OrderDS, the query returns the following: <CUSTOMER> <SSN>sjdlkggdlaklakskjfgk</SSN> <ORDER_ID>1000</ORDER_ID > <ORDER_ID>2000</ORDER_ID > </CUSTOMER> Notice that the outer join is performed as if encryption was not set. Note also that the value of the secured element in the result is encrypted. Join Encrypted Field With Non-Encrypted FieldAssuming that encryption-based data redaction has been configured for the SSN field in data service CustomerDS but not on data service OrderDS, consider the following XQuery query that joins an encrypted field with a non-encrypted field: for $x in p:getCUSTOMERS() return <CUSTOMER> <SSN> {fn:data($x/SSN)} </SSN> { for $y in q:getORDERS() where $x/SSN eq $y/CUSTOMER_SSN return <ORDER_ID> {fn:data($y/ORDER_ID)} </ORDER_ID> } </CUSTOMER> The query returns (). Note that the outer join fails to return any results because the encrypted value of SSN does not match the non-encrypted value of CUSTOMER_SSN. Group by an Encrypted FieldConsider the following SQL query that includes a group by clause: SELECT CUSTOMER_SSN, COUNT(*y) FROM ORDERS GROUP BY CUSTOMER_SSN Assuming that encryption-based data redaction has been configured for the CUSTOMER_SSN field in data service OrderDS and the getOrders() function has been mapped to the SQL table ORDERS, the SQL query returns the following: (sjdlkggdlaklakskjfgk, 2) Notice that the group by clause performs as if encryption was not set. Note also that the value of the secured column in the result is encrypted. See AlsoConceptsHow-TosReference |
Document generated by Confluence on Apr 28, 2008 16:19 |